difftreelog
refactor remote command management
in: trunk
8 files changed
cmds/fleet/src/cmds/build_systems.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/build_systems.rs
+++ b/cmds/fleet/src/cmds/build_systems.rs
@@ -1,9 +1,10 @@
-use std::{env::current_dir, process::Stdio, time::Duration};
+use std::{env::current_dir, time::Duration};
-use crate::{command::CommandExt, host::Config};
+use crate::command::MyCommand;
+use crate::host::Config;
use anyhow::Result;
use clap::Parser;
-use tokio::{process::Command, task::LocalSet, time::sleep};
+use tokio::{task::LocalSet, time::sleep};
use tracing::{error, field, info, info_span, warn, Instrument};
#[derive(Parser, Clone)]
@@ -33,6 +34,9 @@
}
pub(crate) fn should_switch_profile(&self) -> bool {
+ matches!(self, Self::Switch | Self::Boot)
+ }
+ pub(crate) fn should_activate(&self) -> bool {
matches!(self, Self::Switch | Self::Test)
}
}
@@ -108,13 +112,7 @@
dir.path().to_owned()
};
- let mut nix_build = if self.privileged_build {
- let mut out = Command::new("sudo");
- out.arg("nix");
- out
- } else {
- Command::new("nix")
- };
+ let mut nix_build = MyCommand::new("nix");
nix_build
.args([
"build",
@@ -122,9 +120,8 @@
"--json",
// "--show-trace",
"--no-link",
- "--out-link",
])
- .arg(&built)
+ .comparg("--out-link", &built)
.arg(
config.configuration_attr_name(&format!(
"buildSystems.{}.{host}",
@@ -133,6 +130,10 @@
)
.args(&config.nix_args);
+ if self.privileged_build {
+ nix_build = nix_build.sudo();
+ }
+
nix_build.run_nix().await.map_err(|e| {
if action.build_attr() == "sdImage" {
info!("sd-image build failed");
@@ -149,14 +150,11 @@
info!("uploading system closure");
let mut tries = 0;
loop {
- match Command::new("nix")
- .args(["copy", "--to"])
- .arg(format!("ssh://root@{}", host))
- .arg(&built)
- .inherit_stdio()
- .run_nix()
- .await
- {
+ let mut nix = MyCommand::new("nix");
+ nix.arg("copy")
+ .comparg("--to", format!("ssh://root@{host}"))
+ .arg(&built);
+ match nix.run_nix().await {
Ok(()) => break,
Err(e) if tries < 3 => {
tries += 1;
@@ -170,24 +168,20 @@
if let Some(action) = action {
if action.should_switch_profile() {
info!("switching generation");
- config
- .command_on(&host, "nix-env", true)
- .args(["-p", "/nix/var/nix/profiles/system", "--set"])
- .arg(&built)
- .inherit_stdio()
- .run()
- .await?;
+ let mut cmd = MyCommand::new("nix-env");
+ cmd.comparg("--profile", "/nix/var/nix/profiles/system")
+ .comparg("--set", &built);
+ config.run_on(&host, cmd, true).await?;
+ }
+ if action.should_activate() {
+ info!("executing activation script");
+ let mut switch_script = built.clone();
+ switch_script.push("bin");
+ switch_script.push("switch-to-configuration");
+ let mut cmd = MyCommand::new(switch_script);
+ cmd.arg(action.name());
+ config.run_on(&host, cmd, true).await?;
}
- info!("executing activation script");
- let mut switch_script = built.clone();
- switch_script.push("bin");
- switch_script.push("switch-to-configuration");
- config
- .command_on(&host, switch_script, true)
- .arg(action.name())
- .stdout(Stdio::inherit())
- .run()
- .await?;
}
}
Action::Package(PackageAction::SdImage) => {
@@ -195,39 +189,30 @@
out.push(format!("sd-image-{}", host));
info!("building sd image to {:?}", out);
- let mut nix_build = if self.privileged_build {
- let mut out = Command::new("sudo");
- out.arg("nix");
- out
- } else {
- Command::new("nix")
- };
+ let mut nix_build = MyCommand::new("nix");
nix_build
- .args(["build", "--impure", "--no-link", "--out-link"])
- .arg(&out)
+ .args(["build", "--impure", "--no-link"])
+ .comparg("--out-link", &out)
.arg(config.configuration_attr_name(&format!("buildSystems.sdImage.{}", host,)))
.args(&config.nix_args);
if !self.fail_fast {
nix_build.arg("--keep-going");
}
+ if self.privileged_build {
+ nix_build = nix_build.sudo();
+ }
- nix_build.inherit_stdio().run_nix().await?;
+ nix_build.run_nix().await?;
}
Action::Package(PackageAction::InstallationCd) => {
let mut out = current_dir()?;
out.push(format!("installation-cd-{}", host));
info!("building sd image to {:?}", out);
- let mut nix_build = if self.privileged_build {
- let mut out = Command::new("sudo");
- out.arg("nix");
- out
- } else {
- Command::new("nix")
- };
+ let mut nix_build = MyCommand::new("nix");
nix_build
- .args(["build", "--impure", "--no-link", "--out-link"])
- .arg(&out)
+ .args(["build", "--impure", "--no-link"])
+ .comparg("--out-link", &out)
.arg(
config.configuration_attr_name(&format!(
"buildSystems.installationCd.{}",
@@ -238,8 +223,11 @@
if !self.fail_fast {
nix_build.arg("--keep-going");
}
+ if self.privileged_build {
+ nix_build = nix_build.sudo();
+ }
- nix_build.inherit_stdio().run_nix().await?;
+ nix_build.run_nix().await?;
}
};
Ok(())
cmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -2,18 +2,16 @@
fleetdata::{FleetSecret, FleetSharedSecret},
host::Config,
};
-use age::{Decryptor, Encryptor};
use anyhow::{bail, ensure, Context, Result};
use clap::Parser;
use futures::{StreamExt, TryStreamExt};
use std::{
collections::HashSet,
- io::{self, Cursor, Read, Write},
- iter,
+ io::{self, Cursor, Read},
path::PathBuf,
};
use tokio::fs::read_to_string;
-use tracing::{info, warn};
+use tracing::{info, warn, error};
#[derive(Parser)]
pub enum Secrets {
@@ -313,6 +311,7 @@
}
let mut to_remove = Vec::new();
for name in &config.list_shared() {
+ info!("updating secret: {name}");
let mut data = config.shared_secret(name)?;
let expected_owners: Vec<String> = config
.shared_config_attr(&format!("sharedSecrets.\"{name}\".expectedOwners"))
@@ -326,14 +325,12 @@
let expected_set = expected_owners.iter().collect::<HashSet<_>>();
let should_remove = set.difference(&expected_set).next().is_some();
if set != expected_set {
- warn!("reconfiguring owners for {name}");
- let generator: Option<String> = config
- .shared_config_attr(&format!("sharedSecrets.\"{name}\".generator"))
+ let owner_dependent: bool = config
+ .shared_config_attr(&format!("sharedSecrets.\"{name}\".ownerDependent"))
.await?;
- // TODO: if !.owner_dependent
- if let Some(str) = generator {
- todo!("regenerate")
- } else {
+ if !owner_dependent {
+ warn!("reencrypting secret '{name}' for new owner set");
+ // TODO: force regeneration
if should_remove {
warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");
}
@@ -367,7 +364,16 @@
data.secret.secret = encrypted;
data.owners = expected_owners;
config.replace_shared(name.to_owned(), data);
+ } else if let Some(generator) = config
+ .shared_config_attr::<Option<String>>(&format!("sharedSecrets.\"{name}\".generator"))
+ .await?
+ {
+ todo!("regenerate secret {name} with {generator}");
+ } else {
+ error!("secret '{name}' should be regenerated manually");
}
+ } else {
+ info!("secret data is ok")
}
}
for k in to_remove {
cmds/fleet/src/command.rsdiffbeforeafterboth1use std::{ffi::OsStr, process::Stdio};23use anyhow::{Context, Result};4use async_trait::async_trait;5use futures::StreamExt;6use serde::{7 de::{DeserializeOwned, Visitor},8 Deserialize,9};10use tokio::{process::Command, select};11use tokio_util::codec::{BytesCodec, FramedRead, LinesCodec};12use tracing::{info, warn};1314#[async_trait]15pub trait CommandExt {16 async fn run_nix(&mut self) -> Result<()>;17 async fn run_nix_json<T: DeserializeOwned>(&mut self) -> Result<T>;18 async fn run_nix_string(&mut self) -> Result<String>;19 async fn run(&mut self) -> Result<()>;20 async fn run_json<T: DeserializeOwned>(&mut self) -> Result<T>;21 async fn run_string(&mut self) -> Result<String>;22 fn inherit_stdio(&mut self) -> &mut Self;23 fn ssh_on(host: impl AsRef<OsStr>, command: impl AsRef<OsStr>) -> Self;24}2526#[derive(Debug)]27enum LogField {28 String(String),29 Num(u64),30}3132impl<'de> Deserialize<'de> for LogField {33 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>34 where35 D: serde::Deserializer<'de>,36 {37 struct StringOrNum;38 impl<'de> Visitor<'de> for StringOrNum {39 type Value = LogField;4041 fn expecting(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {42 write!(f, "string or unsigned")43 }4445 fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>46 where47 E: serde::de::Error,48 {49 Ok(LogField::String(v.to_owned()))50 }5152 fn visit_u64<E>(self, v: u64) -> Result<Self::Value, E>53 where54 E: serde::de::Error,55 {56 Ok(LogField::Num(v))57 }58 }5960 deserializer.deserialize_any(StringOrNum)61 }62}6364#[derive(Deserialize, Debug)]65#[serde(rename_all = "camelCase", tag = "action")]66#[allow(dead_code)]67enum NixLog {68 Msg {69 level: u32,70 msg: String,71 raw_msg: Option<String>,72 },73 Start {74 id: u64,75 level: u32,76 #[serde(default)]77 fields: Vec<LogField>,78 text: String,79 #[serde(rename = "type")]80 typ: u32,81 },82 Stop {83 id: u64,84 },85 Result {86 id: u64,87 #[serde(rename = "type")]88 typ: u32,89 },90}9192#[async_trait]93impl CommandExt for Command {94 async fn run_nix(&mut self) -> Result<()> {95 self.run_nix_string().await.map(|_| ())96 }97 async fn run_nix_json<T: DeserializeOwned>(&mut self) -> Result<T> {98 let str = self.run_nix_string().await?;99 serde_json::from_str(&str).with_context(|| format!("{:?}", str))100 }101102 async fn run_nix_string(&mut self) -> Result<String> {103 self.arg("--log-format").arg("internal-json");104 self.stderr(Stdio::piped());105 self.stdout(Stdio::piped());106 let mut child = self.spawn()?;107 let mut stderr = child.stderr.take().unwrap();108 let mut stdout = child.stdout.take().unwrap();109 let mut err = FramedRead::new(&mut stderr, LinesCodec::new());110 let mut out = FramedRead::new(&mut stdout, BytesCodec::new());111112 // while let Some(line) = read.next().await? {}113114 let mut out_buf = vec![];115 loop {116 select! {117 e = err.next() => {118 if let Some(e) = e {119 let e = e?;120 if let Some(e) = e.strip_prefix("@nix ") {121122 let log: NixLog = match serde_json::from_str(e) {123 Ok(l) => l,124 Err(err) => {125 warn!("failed to parse nix log line {:?}: {}", e, err);126 continue;127 },128 };129 match log {130 NixLog::Msg { msg, raw_msg, .. } => {131 if !(msg.starts_with("\u{1b}[35;1mwarning:\u{1b}[0m Git tree '") && msg.ends_with("' is dirty"))132 && !msg.starts_with("\u{1b}[35;1mwarning:\u{1b}[0m not writing modified lock file of flake")133 && msg != "\u{1b}[35;1mwarning:\u{1b}[0m \u{1b}[31;1merror:\u{1b}[0m SQLite database '\u{1b}[35;1m/nix/var/nix/db/db.sqlite\u{1b}[0m' is busy" {134 if let Some(raw_msg) = raw_msg {135 info!(target: "nix", "{raw_msg}\n{msg}")136 }else {137 info!(target: "nix", "{msg}")138139 }140 }141 },142 NixLog::Start { ref fields, typ, .. } if typ == 105 && !fields.is_empty() => {143 if let [LogField::String(drv), ..] = &fields[..] {144 info!(target: "nix","building {}", drv)145 } else {146 warn!("bad build log: {:?}", log)147 }148 },149 NixLog::Start { ref fields, typ, .. } if typ == 100 && fields.len() >= 3 => {150 if let [LogField::String(drv), LogField::String(from), LogField::String(to), ..] = &fields[..] {151 info!(target: "nix","copying {} {} -> {}", drv, from, to)152 } else {153 warn!("bad copy log: {:?}", log)154 }155 },156 NixLog::Start { text, typ, .. } if typ == 0 || typ == 102 || typ == 103 || typ == 104 => {157 if !text.is_empty() && text != "querying info about missing paths" && text != "copying 0 paths" {158 info!(target: "nix", "{}", text)159 }160 },161 NixLog::Start { text, level: 0, typ: 108, .. } if text.is_empty() => {162 // Cache lookup? Coupled with copy log163 },164 NixLog::Start { text, level: 4, typ: 109, .. } if text.starts_with("querying info about ") => {165 // Cache lookup166 }167 NixLog::Start { text, level: 4, typ: 101, .. } if text.starts_with("downloading ") => {168 // NAR downloading, coupled with copy log169 }170 NixLog::Start { text, level: 1, typ: 111, .. } if text.starts_with("waiting for a machine to build ") => {171 // Useless repeating notification about build172 }173 NixLog::Start { text, level: 3, typ: 111, .. } if text.starts_with("resolved derivation: ") => {174 // CA resolved175 }176 NixLog::Stop { .. } => {},177 NixLog::Result { .. } => {},178 _ => warn!("unknown log: {:?}", log)179 };180 } else {181 warn!(target="nix","unknown: {}", e)182 }183 }184 },185 o = out.next() => {186 if let Some(o) = o {187 out_buf.extend_from_slice(&o?);188 }189 },190 code = child.wait() => {191 let code = code?;192 if !code.success() {193 anyhow::bail!("command ({:?}) failed with status {}", self, code);194 }195 break;196 }197 }198 }199200 Ok(String::from_utf8(out_buf)?)201 }202203 fn inherit_stdio(&mut self) -> &mut Self {204 self.stderr(Stdio::inherit());205 self206 }207208 async fn run(&mut self) -> Result<()> {209 self.stderr(Stdio::piped());210 self.stdout(Stdio::piped());211 let mut child = self.spawn()?;212 let mut stderr = child.stderr.take().unwrap();213 let mut stdout = child.stdout.take().unwrap();214 let mut err = FramedRead::new(&mut stderr, LinesCodec::new());215 let mut out = FramedRead::new(&mut stdout, LinesCodec::new());216 loop {217 select! {218 e = err.next() => {219 if let Some(e) = e {220 warn!("{}", e?);221 }222 },223 o = out.next() => {224 if let Some(o) = o {225 info!("{}", o?);226 }227 },228 code = child.wait() => {229 let code = code?;230 if !code.success() {231 anyhow::bail!("command ({:?}) failed with status {}", self, code);232 }233 break;234 }235 }236 }237 Ok(())238 }239240 async fn run_json<T: DeserializeOwned>(&mut self) -> Result<T> {241 let str = self.run_string().await?;242 serde_json::from_str(&str).with_context(|| format!("{:?}", str))243 }244245 async fn run_string(&mut self) -> Result<String> {246 self.inherit_stdio();247 self.stdout(Stdio::piped());248 let out = self.spawn()?.wait_with_output().await?;249 if !out.status.success() {250 anyhow::bail!("command ({:?}) failed with status {}", self, out.status);251 }252 Ok(String::from_utf8(out.stdout)?)253 }254255 fn ssh_on(host: impl AsRef<OsStr>, command: impl AsRef<OsStr>) -> Self {256 let mut cmd = Command::new("ssh");257 cmd.arg(host).arg("--").arg(command);258 cmd259 }260}cmds/fleet/src/host.rsdiffbeforeafterboth--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -1,7 +1,7 @@
use std::{
cell::{Ref, RefCell, RefMut},
env::current_dir,
- ffi::{OsStr, OsString},
+ ffi::OsString,
io::Write,
ops::Deref,
path::PathBuf,
@@ -12,10 +12,9 @@
use clap::{ArgGroup, Parser};
use serde::de::DeserializeOwned;
use tempfile::NamedTempFile;
-use tokio::process::Command;
use crate::{
- command::CommandExt,
+ command::MyCommand,
fleetdata::{FleetData, FleetSecret, FleetSharedSecret},
};
@@ -52,24 +51,24 @@
self.opts.localhost.as_ref().map(|s| s as &str) == Some(host)
}
- pub fn command_on(&self, host: &str, program: impl AsRef<OsStr>, sudo: bool) -> Command {
- if self.is_local(host) {
- if sudo {
- let mut cmd = Command::new("sudo");
- cmd.arg(program);
- cmd
- } else {
- Command::new(program)
- }
- } else {
- let mut cmd = Command::new("ssh");
- cmd.arg(host).arg("--");
- if sudo {
- cmd.arg("sudo");
- }
- cmd.arg(program);
- cmd
+ pub async fn run_on(&self, host: &str, mut command: MyCommand, sudo: bool) -> Result<()> {
+ if sudo {
+ command = command.sudo();
+ }
+ if !self.is_local(host) {
+ command = command.ssh(host);
+ }
+ command.run().await
+ }
+ #[must_use]
+ pub async fn run_string_on(&self, host: &str, mut command: MyCommand, sudo: bool) -> Result<String> {
+ if sudo {
+ command = command.sudo();
+ }
+ if !self.is_local(host) {
+ command = command.ssh(host);
}
+ command.run_string().await
}
pub fn configuration_attr_name(&self, name: &str) -> OsString {
@@ -83,36 +82,36 @@
}
pub async fn list_hosts(&self) -> Result<Vec<String>> {
- Command::new("nix")
- .arg("eval")
+ let mut cmd = MyCommand::new("nix");
+ cmd.arg("eval")
.arg(self.configuration_attr_name("configuredHosts"))
.args(["--apply", "builtins.attrNames", "--json", "--show-trace"])
- .args(&self.nix_args)
- .run_nix_json()
+ .args(&self.nix_args);
+ cmd.run_nix_json()
.await
}
pub async fn shared_config_attr<T: DeserializeOwned>(&self, attr: &str) -> Result<T> {
- Command::new("nix")
- .arg("eval")
+ let mut cmd = MyCommand::new("nix");
+ cmd.arg("eval")
.arg(self.configuration_attr_name(&format!("configUnchecked.{}", attr)))
.args(["--json", "--show-trace"])
- .args(&self.nix_args)
- .run_nix_json()
+ .args(&self.nix_args);
+ cmd.run_nix_json()
.await
}
pub async fn shared_config_attr_names(&self, attr: &str) -> Result<Vec<String>> {
- Command::new("nix")
- .arg("eval")
+ let mut cmd = MyCommand::new("nix");
+ cmd.arg("eval")
.arg(self.configuration_attr_name(&format!("configUnchecked.{}", attr)))
.args(["--apply", "builtins.attrNames"])
.args(["--json", "--show-trace"])
- .args(&self.nix_args)
- .run_nix_json()
+ .args(&self.nix_args);
+ cmd.run_nix_json()
.await
}
pub async fn config_attr<T: DeserializeOwned>(&self, host: &str, attr: &str) -> Result<T> {
- Command::new("nix")
- .arg("eval")
+ let mut cmd = MyCommand::new("nix");
+ cmd.arg("eval")
.arg(
self.configuration_attr_name(&format!(
"configuredSystems.{}.config.{}",
@@ -120,8 +119,8 @@
)),
)
.args(["--json", "--show-trace"])
- .args(&self.nix_args)
- .run_nix_json()
+ .args(&self.nix_args);
+ cmd.run_nix_json()
.await
}
@@ -171,23 +170,20 @@
pub async fn decrypt_on_host(&self, host: &str, data: Vec<u8>) -> Result<Vec<u8>>{
let data = z85::encode(&data);
- let encoded = self.command_on(host, "fleet-install-secrets", true)
- .arg("decrypt")
- .arg("--secret")
- .arg(data).run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
+ let mut cmd = MyCommand::new("fleet-install-secrets");
+ cmd.arg("decrypt").eqarg("--secret", data);
+ cmd = cmd.sudo().ssh(host);
+ let encoded = cmd.run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
Ok(z85::decode(encoded).context("bad encoded data? outdated host?")?)
}
pub async fn reencrypt_on_host(&self, host: &str, data: Vec<u8>, targets: Vec<String>) -> Result<Vec<u8>>{
let data = z85::encode(&data);
- let mut recmd = self.command_on(host, "fleet-install-secrets", true);
- recmd
- .arg("reencrypt")
- .arg("--secret")
- .arg(format!("\"{}\"", data.replace('$', "\\$")));
+ let mut recmd = MyCommand::new("fleet-install-secrets");
+ recmd.arg("reencrypt").eqarg("--secret",data);
for target in targets {
- recmd.arg("--targets");
- recmd.arg(format!("\"{target}\""));
+ recmd.eqarg("--targets", target);
}
+ recmd = recmd.sudo().ssh(host);
let encoded = recmd.run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
Ok(z85::decode(encoded).context("bad encoded data? outdated host?")?)
}
cmds/fleet/src/keys.rsdiffbeforeafterboth--- a/cmds/fleet/src/keys.rs
+++ b/cmds/fleet/src/keys.rs
@@ -1,6 +1,7 @@
use std::str::FromStr;
-use crate::{command::CommandExt, host::Config};
+use crate::command::MyCommand;
+use crate::host::Config;
use anyhow::{anyhow, Result};
use tracing::warn;
@@ -26,11 +27,9 @@
Ok(key)
} else {
warn!("Loading key for {}", host);
- let key = self
- .command_on(host, "cat", false)
- .arg("/etc/ssh/ssh_host_ed25519_key.pub")
- .run_string()
- .await?;
+ let mut cmd = MyCommand::new("cat");
+ cmd.arg("/etc/ssh/ssh_host_ed25519_key.pub");
+ let key = self.run_string_on(host, cmd, false).await?;
self.update_key(host, key.clone());
Ok(key)
}
cmds/install-secrets/src/main.rsdiffbeforeafterboth--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -250,7 +250,7 @@
if plaintext {
let s = String::from_utf8(decrypted).context("output is not utf8")?;
- print!("{}", s);
+ print!("{s}");
} else {
println!("{}", SecretWrapper(decrypted));
}
modules/fleet/secrets.nixdiffbeforeafterboth--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -2,15 +2,6 @@
let
sharedSecret = with types; {
options = {
- owners = mkOption {
- type = listOf str;
- description = ''
- For which owners this secret is currently encrypted,
- if not matches expectedOwners - then this secret is considered outdated, and
- should be regenerated/reencrypted
- '';
- default = [ ];
- };
expectedOwners = mkOption {
type = listOf str;
description = ''
@@ -25,12 +16,38 @@
description = "Is this secret owner-dependent, and needs to be regenerated on ownership set change, or it may be just reencrypted";
};
generator = mkOption {
- type = nullOr package;
- description = ''
- Derivation to execute for secret generation
+ type = nullOr (submodule {
+ packages = mkOption {
+ type = attrsOf package;
+ description = ''
+ Derivation to execute for shared secret generation (key = system).
+ This derivation should produce directory, with exactly two files:
+ - publicData
+ - encryptedSecretData
+
+ If null - secret value may only be created manually.
+ '';
+ };
+ expectedData = mkOption {
+ type = types.unspecified;
+ description = "Data expected to be used for secret generation, if doesn't match specified - secret should be regenerated";
+ };
+ dependencies = mkOption {
+ type = listOf str;
+ description = ''
+ List of secrets, on which this secret depends.
- If null - may only be created manually
- '';
+ During generation, generator command will be ran on host, which already has specified secrets generated.
+ '';
+ default = [];
+ };
+ data = mkOption {
+ type = types.unspecified;
+ description = "Data used for secret generation. Imported from fleet.nix";
+ default = null;
+ internal = true;
+ };
+ });
default = null;
};
expireIn = mkOption {
@@ -38,15 +55,28 @@
description = "Time in hours, in which this secret should be regenerated";
default = null;
};
+
+ owners = mkOption {
+ type = listOf str;
+ description = ''
+ For which owners this secret is currently encrypted,
+ if not matches expectedOwners - then this secret is considered outdated, and
+ should be regenerated/reencrypted.
+
+ Imported from fleet.nix
+ '';
+ default = [ ];
+ };
public = mkOption {
type = nullOr str;
- description = "Secret public data";
+ description = "Secret public data. Imported from fleet.nix";
default = null;
};
secret = mkOption {
type = nullOr str;
- description = "Encrypted secret data";
+ description = "Encrypted secret data. Imported from fleet.nix";
default = null;
+ internal = true;
};
};
};
nixos/secrets.nixdiffbeforeafterboth--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,14 +5,14 @@
let
sysConfig = config;
secretType = types.submodule ({ config, ... }: {
- config = rec {
- stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${config._module.args.name}";
- secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${config._module.args.name}";
- secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else "<missingno>");
+ config = let secretName = config._module.args.name; in rec {
+ stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${secretName}";
+ secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${secretName}";
+ secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else throw "secret is not defined for secret ${secretName}");
- stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${config._module.args.name}";
- publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${config._module.args.name}";
- publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else "<missingno>");
+ stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${secretName}";
+ publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${secretName}";
+ publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else throw "public is not defined for secret ${secretName}");
};
options = {
public = mkOption {
@@ -77,7 +77,13 @@
});
secretsFile = pkgs.writeTextFile {
name = "secrets.json";
- text = builtins.toJSON config.secrets;
+ text = builtins.toJSON (mapAttrs (_: value: rec {
+ inherit (value) group mode owner secret public;
+ publicPath = if public != null then value.publicPath else "/missingno";
+ stablePublicPath = if public != null then value.stablePublicPath else "/missingno";
+ secretPath = if secret != null then value.secretPath else "/missingno";
+ stableSecretPath = if secret != null then value.stableSecretPath else "/missingno";
+ }) config.secrets);
};
in
{